Juniper Networks Remote Code Execution Exploit Detection

Try in Splunk Security Cloud

Description

The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Web
• Last Updated: 2023-08-29
• Author: Michael Haag, Splunk
• ID: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1190	Exploit Public-Facing Application	Initial Access

T1105

Ingress Tool Transfer

Command And Control

T1059

Command and Scripting Interpreter

Execution

Kill Chain Phase

• Delivery
• Command and Control
• Installation

NIST

• DE.CM

CIS20

• CIS 13

CVE

ID	Summary	CVSS
CVE-2023-36844	A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables.

Utilizing a crafted request an attacker is able to modify

certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series:

• All versions prior to 20.4R3-S9;
• 21.2 versions prior to 21.2R3-S6;
• 21.3 versions

prior to

21.3R3-S5;

• 21.4 versions

prior to

21.4R3-S5;

• 22.1 versions

prior to

22.1R3-S4;

• 22.2 versions

prior to

22.2R3-S2;

• 22.3 versions

prior to 22.3R3-S1;

• 22.4 versions

prior to

22.4R2-S2, 22.4R3.

None
CVE-2023-36845	A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series

and SRX Series

allows an unauthenticated, network-based attacker to control certain, important environments variables.

Utilizing a crafted request an attacker is able to modify a certain PHP environment variable leading to partial loss of integrity, which may allow chaining to other vulnerabilities.

This issue affects Juniper Networks Junos OS on SRX Series:

• All versions prior to 21.4R3-S5;
• 22.1 versions

prior to

22.1R3-S4;

• 22.2 versions

prior to

22.2R3-S2;

• 22.3 versions

prior to

22.3R2-S2, 22.3R3-S1;

• 22.4 versions

prior to

22.4R2-S1, 22.4R3;

• 23.2 versions prior to 23.2R1-S1, 23.2R2.

None
CVE-2023-36846	A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.

With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of

integrity

for a certain 

part of the file system, which may allow chaining to other vulnerabilities.

This issue affects Juniper Networks Junos OS on SRX Series:

• All versions prior to 20.4R3-S8;
• 21.2 versions prior to 21.2R3-S6;
• 21.3 versions

prior to

21.3R3-S5;

• 21.4 versions

prior to

21.4R3-S5;

• 22.1 versions

prior to

22.1R3-S3;

• 22.2 versions

prior to

22.2R3-S2;

• 22.3 versions

prior to

22.3R2-S2, 22.3R3;

• 22.4 versions

prior to

22.4R2-S1, 22.4R3.

None
CVE-2023-36847	A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.

With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of

integrity

for a certain

part of the file system, which may allow chaining to other vulnerabilities.

This issue affects Juniper Networks Junos OS on EX Series:

• All versions prior to 20.4R3-S8;
• 21.2 versions prior to 21.2R3-S6;
• 21.3 versions

prior to

21.3R3-S5;

• 21.4 versions

prior to

21.4R3-S4;

• 22.1 versions

prior to

22.1R3-S3;

• 22.2 versions

prior to

22.2R3-S1;

• 22.3 versions

prior to

22.3R2-S2, 22.3R3;

• 22.4 versions

prior to

22.4R2-S1, 22.4R3.

None

Search

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `juniper_networks_remote_code_execution_exploit_detection_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime

juniper_networks_remote_code_execution_exploit_detection_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Web.http_user_agent
• Web.status
• Web.http_method
• Web.url
• Web.url_length
• Web.src
• Web.dest
• sourcetype

How To Implement

To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.

Known False Positives

Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.

Associated Analytic Story

• Juniper JunOS Remote Code Execution

RBA

Risk Score	Impact	Confidence	Message
72.0	90	80	This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
• https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml
• https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
• https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
• https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1